diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/.htaccess | 12 | ||||
| -rw-r--r-- | src/admin/export.php | 2 | ||||
| -rw-r--r-- | src/admin/files.php | 1 | ||||
| -rw-r--r-- | src/admin/problem.php | 6 | ||||
| -rw-r--r-- | src/fcontest.php | 2 | ||||
| -rw-r--r-- | src/filedownload.php | 4 | ||||
| -rw-r--r-- | src/frun.php | 15 | ||||
| -rw-r--r-- | src/getcode.php | 10 | ||||
| -rwxr-xr-x | src/globals.php | 14 | ||||
| -rw-r--r-- | src/hex.php | 23 | ||||
| -rw-r--r-- | src/judge/clar.php | 2 | ||||
| -rw-r--r-- | src/judge/runedit.php | 2 | ||||
| -rw-r--r-- | src/judge/team.php | 2 | ||||
| -rw-r--r-- | src/scoretable.php | 7 | ||||
| -rw-r--r-- | src/site/get.php | 2 | ||||
| -rw-r--r-- | src/system/importxml.php | 2 | ||||
| -rw-r--r-- | src/team/header.php | 2 | ||||
| -rw-r--r-- | src/team/run.php | 11 | ||||
| -rw-r--r-- | src/version | 2 | ||||
| -rw-r--r-- | src/versionnum.php | 4 |
20 files changed, 77 insertions, 48 deletions
diff --git a/src/.htaccess b/src/.htaccess index 7c89b5b..99fda17 100644 --- a/src/.htaccess +++ b/src/.htaccess @@ -1,5 +1,7 @@ -php_flag output_buffering on -php_value memory_limit 1024M -php_value post_max_size 128M -php_flag magic_quotes_gpc off -php_value upload_max_filesize 128M +<IfModule !mod_proxy_fcgi.c> + php_flag output_buffering on + php_value memory_limit 1024M + php_value post_max_size 128M + php_flag magic_quotes_gpc off + php_value upload_max_filesize 128M +</IfModule> diff --git a/src/admin/export.php b/src/admin/export.php index 2682c94..10a595d 100644 --- a/src/admin/export.php +++ b/src/admin/export.php @@ -51,7 +51,7 @@ if(isset($_POST["Submit"]) || isset($_POST['Submit1'])) { if(isset($_POST['nopassword']) && $_POST['nopassword']=='true') echo $xml; else - echo rawurlencode($_POST['challenge']) . " " . encryptData($xml,($_POST['password'])); + echo myrawurlencode($_POST['challenge']) . " " . encryptData($xml,($_POST['password'])); exit; } } diff --git a/src/admin/files.php b/src/admin/files.php index 16f0f2d..30ce320 100644 --- a/src/admin/files.php +++ b/src/admin/files.php @@ -59,7 +59,6 @@ for ($i=0; $i<count($run); $i++) { echo " <td nowrap>" . dateconvsimple($run[$i]["timestamp"]) . "</td>\n"; echo " <td nowrap>" . $run[$i]["usernumber"] . " (" . $run[$i]["usersitenumber"] . ")</td>\n"; - $if = rawurlencode($run[$i]["filename"]); if($run[$i]["status"]=="active") { echo "<td nowrap><a href=\"../filedownload.php?". filedownload($run[$i]["oid"],$run[$i]["filename"]) . "\">"; echo $run[$i]["filename"] . "</a>"; diff --git a/src/admin/problem.php b/src/admin/problem.php index a01bd35..33e887c 100644 --- a/src/admin/problem.php +++ b/src/admin/problem.php @@ -26,7 +26,7 @@ if(($ct = DBContestInfo($_SESSION["usertable"]["contestnumber"])) == null) if (isset($_GET["delete"]) && is_numeric($_GET["delete"]) && isset($_GET["input"])) { $param = array(); $param['number']=$_GET["delete"]; - $param['inputfilename']=$_GET["input"]; + $param['inputfilename']=myrawurldecode($_GET["input"]); if(!DBDeleteProblem ($_SESSION["usertable"]["contestnumber"], $param)) { MSGError('Error deleting problem'); LogError('Error deleting problem'); @@ -262,11 +262,11 @@ for ($i=0; $i<count($prob); $i++) { echo " <tr>\n"; if($prob[$i]["fake"]!='t') { if(strpos($prob[$i]["fullname"],"(DEL)") !== false) { - echo " <td nowrap><a href=\"javascript: conf3('problem.php?delete=" . $prob[$i]["number"] . "&input=" . rawurlencode($prob[$i]["inputfilename"]) . + echo " <td nowrap><a href=\"javascript: conf3('problem.php?delete=" . $prob[$i]["number"] . "&input=" . myrawurlencode($prob[$i]["inputfilename"]) . "')\">" . $prob[$i]["number"]; echo "(deleted)"; } else { - echo " <td nowrap><a href=\"javascript: conf2('problem.php?delete=" . $prob[$i]["number"] . "&input=" . rawurlencode($prob[$i]["inputfilename"]) . + echo " <td nowrap><a href=\"javascript: conf2('problem.php?delete=" . $prob[$i]["number"] . "&input=" . myrawurlencode($prob[$i]["inputfilename"]) . "')\">" . $prob[$i]["number"]; } echo "</a></td>\n"; diff --git a/src/fcontest.php b/src/fcontest.php index e61631b..9989931 100644 --- a/src/fcontest.php +++ b/src/fcontest.php @@ -125,7 +125,7 @@ CREATE TABLE \"sitetimetable\" ( $r = DBexec($c, "CREATE INDEX \"sitetimesite_index\" ON \"sitetimetable\" USING btree ". "(\"contestnumber\" int4_ops, \"sitenumber\" int4_ops)", "DBCreateSiteTimeTable(create site_index)"); } -// begin; update answertable set updatetime=EXTRACT(EPOCH FROM now()); +// begin; update answertable set updatetime=EXTRACT(EPOCH FROM now()); select * from answertable; // begin; update langtable set updatetime=EXTRACT(EPOCH FROM now()); select * from langtable; // begin; update problemtable set updatetime=EXTRACT(EPOCH FROM now()); select * from problemtable; diff --git a/src/filedownload.php b/src/filedownload.php index 6b56ca9..e1ef6b9 100644 --- a/src/filedownload.php +++ b/src/filedownload.php @@ -34,10 +34,10 @@ if(!isset($_GET["oid"]) || !is_numeric($_GET["oid"]) || !isset($_GET["filename"] } $cf = globalconf(); -$fname = decryptData(rawurldecode($_GET["filename"]), session_id() . $cf["key"]); +$fname = decryptData(myrawurldecode($_GET["filename"]), session_id() . $cf["key"]); if(isset($_GET["msg"])) - $p = myhash($_GET["oid"] . $fname . rawurldecode($_GET["msg"]) . session_id() . $cf["key"]); + $p = myhash($_GET["oid"] . $fname . myrawurldecode($_GET["msg"]) . session_id() . $cf["key"]); else $p = myhash($_GET["oid"] . $fname . session_id() . $cf["key"]); diff --git a/src/frun.php b/src/frun.php index 473c4a5..bc9dc2f 100644 --- a/src/frun.php +++ b/src/frun.php @@ -359,13 +359,14 @@ function DBGetRunToAnswerC($number,$site,$contest,$chief) { "r.runnumber=$number"; if ($chief != 1) { $sql .= " and (r.runstatus='openrun' or " . - "(r.runstatus='judged+' and r.runjudge is NULL) or " . - "((r.runstatus='judging' or r.runstatus='judged+') and " . - " (r.runjudge1 is null or r.runjudge2 is null or " . - " ((r.runjudge1=" . $_SESSION["usertable"]["usernumber"] . " and " . - " r.runjudgesite1=" . $_SESSION["usertable"]["usersitenumber"] . ") or " . - " (r.runjudge2=" . $_SESSION["usertable"]["usernumber"] . " and " . - " r.runjudgesite2=" . $_SESSION["usertable"]["usersitenumber"] . ")))))"; + "(r.runstatus='judged+' and r.runjudge is NULL) or " . + "((r.runstatus='judging' or r.runstatus='judged+') and " . + " (r.runjudge1 is null or " . + " (r.runjudge2 is null)" . // " and (" . $_SESSION["usertable"]["usernumber"] . ">=120000 or r.runjudge1>=120000))" . + " or ((r.runjudge1=" . $_SESSION["usertable"]["usernumber"] . " and " . + " r.runjudgesite1=" . $_SESSION["usertable"]["usersitenumber"] . ") or " . + " (r.runjudge2=" . $_SESSION["usertable"]["usernumber"] . " and " . + " r.runjudgesite2=" . $_SESSION["usertable"]["usersitenumber"] . ")))))"; $tx = "Judge"; } else $tx = "Chief"; $r = DBExec ($c, $sql . " for update", "DBGetRunToAnswerC(get run/prob/lang for update)"); diff --git a/src/getcode.php b/src/getcode.php index 407a00b..677aeeb 100644 --- a/src/getcode.php +++ b/src/getcode.php @@ -25,7 +25,13 @@ srand(make_seed()); function myhash($k) { return hash('sha256',$k); } -$iv = "1234567812345678"; +if(!function_exists('openssl_cipher_iv_length')) { + MSGError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + LogError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + return ""; +} +$clen = openssl_cipher_iv_length('aes-256-cbc'); +$iv = substr(myhash(openssl_random_pseudo_bytes($clen)),0,$clen); if(isset($_GET["name"]) && $_GET["name"] != "" ) { $name = $_GET["name"]; @@ -46,7 +52,7 @@ if(isset($_GET["name"]) && $_GET["name"] != "" ) { "chmod 600 /root/submissions/code\n"; if(($str = @file_get_contents("/var/www/boca/src/private/run-past.code")) !== false) $txt .= $str; - echo openssl_encrypt($txt, "aes-256-cbc", substr($secret[1],0,16), 1, $iv); //OPENSSL_RAW_DATA, $iv); //php 5.4.0 + echo $iv . ":\n" . openssl_encrypt($txt, "aes-256-cbc", substr($secret[1],0,32), OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv); //OPENSSL_RAW_DATA, $iv); //php 5.4.0 @file_put_contents("/var/www/boca/src/private/run-past.log", $name . "|" . $cc . "|" . date(DATE_RFC2822) . "\n", LOCK_EX | FILE_APPEND); exit; } diff --git a/src/globals.php b/src/globals.php index fbbecce..f49d26b 100755 --- a/src/globals.php +++ b/src/globals.php @@ -32,12 +32,20 @@ function sanitizeVariables(&$item, $key) } } +function myrawurlencode($txt) { + return(rawurlencode(base64_encode($txt))); +} + +function myrawurldecode($txt) { + return(rawurldecode(base64_encode($txt))); +} + function filedownload($oid,$fname,$msg='') { $cf = globalconf(); - $if = rawurlencode(encryptData($fname, session_id() . $cf['key'],false)); + $if = myrawurlencode(encryptData($fname, session_id() . $cf['key'],false)); $p = myhash($oid . $fname . $msg . session_id() . $cf["key"]); $str = "oid=". $oid . "&filename=". $if . "&check=" . $p; - if($msg != '') $str .= "&msg=" . rawurlencode($msg); + if($msg != '') $str .= "&msg=" . myrawurlencode($msg); return $str; } function dirrec($dir, $user, $group, $dirPermissions, $filePermissions, $avoid=array()) { @@ -217,6 +225,8 @@ function sanitizeFilename($text) } function unsanitizeText($text) { + $text = str_replace("<", "<", $text); + $text = str_replace(">", ">", $text); $text = str_replace("&", "&", $text); return $text; } diff --git a/src/hex.php b/src/hex.php index 104b331..2062d69 100644 --- a/src/hex.php +++ b/src/hex.php @@ -15,7 +15,7 @@ // You should have received a copy of the GNU General Public License // along with this program. If not, see <http://www.gnu.org/licenses/>. //////////////////////////////////////////////////////////////////////////////// -// Last modified: 21/july/2012 by cassio@ime.usp.br +// Last modified: 22/aug/2018 by cassio@ime.usp.br function myshorthash($k) { return hash('sha1',$k); } @@ -27,26 +27,30 @@ function myhmac($k,$d) { } function encryptData($text,$key,$compress=true) { - if(!function_exists('mcrypt_get_iv_size')) { - MSGError("Encryption error -- mcrypt not installed -- contact an admin (" . getFunctionName() .")"); - LogError("Encryption error -- mcrypt not installed -- contact an admin (" . getFunctionName() .")"); + if(!function_exists('openssl_cipher_iv_length')) { + MSGError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + LogError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); return ""; } - $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); - $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); + $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc')); $key = myhash($key . "123456789012345678901234567890"); // . myhash($key); $grade='##'; if($compress) { $text = zipstr($text); $grade = '@#'; } - $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, substr(pack("H*", $key),0,32), $text . myshorthash($text) . $grade, MCRYPT_MODE_CBC, $iv); + $crypttext = openssl_encrypt($text . myshorthash($text) . $grade, 'aes-256-cbc', substr(pack("H*", $key),0,32), OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv); return base64_encode($crypttext . $iv); } function decryptData($crypttext,$key,$txt='') { + if(!function_exists('openssl_cipher_iv_length')) { + MSGError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + LogError("Encryption error -- php openssl not installed -- contact an admin (" . getFunctionName() .")"); + return ""; + } $crypttext = base64_decode($crypttext); - $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); + $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc')); $test1=''; $test2='x'; $clen = strlen($crypttext); @@ -54,7 +58,8 @@ function decryptData($crypttext,$key,$txt='') { $iv = substr($crypttext, $clen-$iv_size, $iv_size); $crypttext = substr($crypttext, 0, $clen-$iv_size); $key = myhash($key . "123456789012345678901234567890"); // . myhash($key); - $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, substr(pack("H*", $key),0,32), $crypttext, MCRYPT_MODE_CBC, $iv); + + $decrypttext = openssl_decrypt($crypttext, 'aes-256-cbc', substr(pack("H*", $key),0,32), OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv); $pos = strrpos($decrypttext,"#"); $iscompressed=false; if(substr($decrypttext,$pos-1,1)=='@') $iscompressed=true; diff --git a/src/judge/clar.php b/src/judge/clar.php index a5d56ce..ee120ab 100644 --- a/src/judge/clar.php +++ b/src/judge/clar.php @@ -49,7 +49,7 @@ $clar = DBOpenClarsInSites($_SESSION["usertable"]["contestnumber"], $s["sitejudg for ($i=0; $i<count($clar); $i++) { echo " <tr>\n"; - if (strpos($clar[$i]["status"], "answered") === false) + if (strpos($clar[$i]["status"], "answered") === false) // && strpos($_SESSION["usertable"]['username'], "setter") !== false) echo " <td nowrap><a href=\"claredit.php?clarnumber=".$clar[$i]["number"]."&clarsitenumber=".$clar[$i]["site"] . "\">" . $clar[$i]["number"] . "</td>\n"; else diff --git a/src/judge/runedit.php b/src/judge/runedit.php index e53b3a3..c77f26e 100644 --- a/src/judge/runedit.php +++ b/src/judge/runedit.php @@ -101,8 +101,6 @@ $b = DBGetProblemData($_SESSION["usertable"]["contestnumber"], $a["problemnumber <td width="83%"> <?php for ($i=0;$i<count($b);$i++) { - $if = rawurlencode($b[$i]["inputfilename"]); - echo "<a href=\"../filedownload.php?". filedownload($b[$i]["inputoid"],$b[$i]["inputfilename"]) . "\">"; echo basename($b[$i]["inputfilename"]) . "</a>"; } diff --git a/src/judge/team.php b/src/judge/team.php index 745380a..13e3e4e 100644 --- a/src/judge/team.php +++ b/src/judge/team.php @@ -75,7 +75,7 @@ $redo = TRUE; if(!isset($_SESSION['forceredo']) || $_SESSION['forceredo']==false) { $actualdelay = 30; if(file_exists($runtmp)) { - if(isset($strtmp) || (($strtmp = file_get_contents($runtmp,FALSE,NULL,-1,1000000)) !== FALSE)) { + if(isset($strtmp) || (($strtmp = file_get_contents($runtmp,FALSE,NULL,0,1000000)) !== FALSE)) { list($d) = sscanf($strtmp,"%*s %d"); if($d > time() - $actualdelay) { $conf=globalconf(); diff --git a/src/scoretable.php b/src/scoretable.php index 3f785f3..2010bc1 100644 --- a/src/scoretable.php +++ b/src/scoretable.php @@ -91,7 +91,7 @@ if($ds=="") $ds = "/"; $scoretmp = $_SESSION["locr"] . $ds . "private" . $ds . "scoretmp" . $ds . $_SESSION["usertable"]["usertype"] . '-' . $_SESSION["usertable"]["username"] . ".php"; $redo = TRUE; if(file_exists($scoretmp)) { - if(($strtmp = file_get_contents($scoretmp,FALSE,NULL,-1,100000)) !== FALSE) { + if(($strtmp = file_get_contents($scoretmp,FALSE,NULL,0,5000000)) !== FALSE) { list($d) = sscanf($strtmp,"%*s %d"); if($d > time() - $actualdelay) { $redo = FALSE; @@ -398,11 +398,14 @@ if($redo) { if(isset($conf['doenc']) && $conf['doenc']) $strtmp = "<!-- " . time() . " --> <?php exit; ?>\n" . encryptData($strtmp,$conf["key"],false); else $strtmp = "<!-- " . time() . " --> <?php exit; ?>\n" . $strtmp; - if(file_put_contents($scoretmp, $strtmp,LOCK_EX)===FALSE) { + $randnum = session_id() . "_" . rand(); + if(file_put_contents($scoretmp . "_" . $randnum, $strtmp,LOCK_EX)===FALSE) { if($_SESSION["usertable"]["usertype"] == 'admin') { MSGError("Cannot write to the score cache file -- performance might be compromised"); } LOGError("Cannot write to the ".$_SESSION["usertable"]["usertype"]."-score cache file -- performance might be compromised"); + } else { + @rename($scoretmp . "_" . $randnum, $scoretmp); } $conf=globalconf(); if(isset($conf['doenc']) && $conf['doenc']) diff --git a/src/site/get.php b/src/site/get.php index 81ede0d..45efd68 100644 --- a/src/site/get.php +++ b/src/site/get.php @@ -46,7 +46,7 @@ if($ct["contestlocalsite"]==$ct["contestmainsite"]) { } if(isset($_POST) && isset($_POST['xml'])) { // $fp=fopen('/tmp/aaa',"w"); fwrite($fp,$_POST['xml']); fclose($fp); - $s = decryptData(rawurldecode($_POST['xml']),myhash($_SESSION["usertable"]["userpassword"])); + $s = decryptData($_POST['xml'],myhash($_SESSION["usertable"]["userpassword"])); // $fp=fopen('/tmp/aaa1',"w"); fwrite($fp,$s); fclose($fp); $ac=array(); diff --git a/src/system/importxml.php b/src/system/importxml.php index 5fcaef3..6e6107e 100644 --- a/src/system/importxml.php +++ b/src/system/importxml.php @@ -156,7 +156,7 @@ if(isset($_POST["Submit"])) { exit; } else - $id = rawurldecode(strtok($ar," \n\t")); + $id = myrawurldecode(strtok($ar," \n\t")); } } } else { diff --git a/src/team/header.php b/src/team/header.php index ec7352a..c02166b 100644 --- a/src/team/header.php +++ b/src/team/header.php @@ -60,7 +60,7 @@ $runtmp = $_SESSION["locr"] . $ds . "private" . $ds . "runtmp" . $ds . "run-cont "-site". $_SESSION["usertable"]["usersitenumber"] . "-user" . $_SESSION["usertable"]["usernumber"] . ".php"; $doslow=true; if(file_exists($runtmp)) { - if(($strtmp = file_get_contents($runtmp,FALSE,NULL,-1,1000000)) !== FALSE) { + if(($strtmp = file_get_contents($runtmp,FALSE,NULL,0,1000000)) !== FALSE) { $postab=strpos($strtmp,"\t"); $conf=globalconf(); $strcolors = decryptData(substr($strtmp,$postab+1,strpos($strtmp,"\n")-$postab-1),$conf['key'],''); diff --git a/src/team/run.php b/src/team/run.php index 077b76c..32c0d25 100644 --- a/src/team/run.php +++ b/src/team/run.php @@ -291,11 +291,13 @@ $redo = TRUE; if(!isset($_SESSION['forceredo']) || $_SESSION['forceredo']==false) { $actualdelay = 15; if(file_exists($runtmp)) { - if(isset($strtmp) || (($strtmp = file_get_contents($runtmp,FALSE,NULL,-1,1000000)) !== FALSE)) { + if(isset($strtmp) || (($strtmp = file_get_contents($runtmp,FALSE,NULL,0,1000000)) !== FALSE)) { list($d) = sscanf($strtmp,"%*s %d"); if($d > time() - $actualdelay) { $conf=globalconf(); - $strtmp = decryptData(substr($strtmp,strpos($strtmp,"\n")+1),$conf["key"],'runtmp'); + if(isset($conf['doenc']) && $conf['doenc']) + $strtmp = decryptData(substr($strtmp,strpos($strtmp,"\n")+1),$conf["key"],'runtmp'); + else $strtmp = substr($strtmp,strpos($strtmp,"\n")+1); if($strtmp !== false) $redo = FALSE; } @@ -416,7 +418,10 @@ if($redo) { "</form>\n"; } $conf=globalconf(); - $strtmp1 = "<!-- " . time() . " --> <?php exit; ?>\t" . encryptData($strcolors,$conf["key"],false) . "\n" . encryptData($strtmp,$conf["key"],false); + if(isset($conf['doenc']) && $conf['doenc']) + $strtmp1 = "<!-- " . time() . " --> <?php exit; ?>\t" . encryptData($strcolors,$conf["key"],false) . "\n" . encryptData($strtmp,$conf["key"],false); + else + $strtmp1 = "<!-- " . time() . " --> <?php exit; ?>\t" . $strcolors . "\n" . $strtmp; $randnum = session_id() . "_" . rand(); if(file_put_contents($runtmp . "_" . $randnum, $strtmp1,LOCK_EX)===FALSE) { if(!isset($_SESSION['writewarn'])) { diff --git a/src/version b/src/version index e466e5e..99637e4 100644 --- a/src/version +++ b/src/version @@ -1 +1 @@ -boca-1.5.13 +boca-1.5.14 diff --git a/src/versionnum.php b/src/versionnum.php index a833695..fc9810f 100644 --- a/src/versionnum.php +++ b/src/versionnum.php @@ -1,5 +1,5 @@ <?php -$BOCAVERSION='boca-1.5.13'; -$YEAR='2017'; +$BOCAVERSION='boca-1.5.14'; +$YEAR='2018'; ?> |